Microsoft Azure : How-to setup a site-to-site VPN using OpenSwan (on a Telenet SOHO subscription)

Objective of the day?

We’ll be setting up an IPSec VPN tunnel between Microsoft Azure and a development/management environment using commodity internet connection of a Belgian ISP.

[Diagram: Azure site-to-site VPN]

What will our test environment look like?

  • Private Network : 192.168.0.0/24
  • System running Openswan : 192.168.0.226
  • Private Internet Connection : 81.82.83.84
  • Azure VPN Gateway : 104.40.149.247
  • Test System on Azure : 10.0.0.4
  • Azure Network : 10.0.0.0/24

The steps we’ll be going through?


  • Configure Virtual Network on Azure
  • Configure VPN Gateway
  • Configure Openswan
  • Configure NAT Rules on the ISP (Telenet) Router
  • Activate IPSec VPN Tunnel
  • Test Connectivity

Configure Virtual Network on Azure

First we’ll be creating the Azure network. Browse to “Network Services”, “Virtual network” and then “Custom Create”



Enter the name for your virtual network and choose your region.

We’ll be using the DNS servers of Azure for this test, so just select “Configure a site-to-site VPN” and “Specify a New Local network”.

Now we’ll be defining a new “local” network. The term local is seen from “your perspective”, being the network outside of Azure.

Here we’ll enter the external IP address of your own router as the “VPN Device IP Address” and the “address space” will contain the subnets you have on your own internal network.


Next we’ll be setting up the “Address Space” that will be used in Azure. We’re also obliged to enter a gateway.

Press the “V” to acknowledge your settings, and the virtual network will be created (which may take a while).


Configure VPN Gateway

Browse to “Networks” to see our newly created network and click on it.

Now go to “Dashboard”. You’ll notice that the link isn’t online and that there is an indication that “The gateway was not created.” So let’s get started…

Click on the “Create Gateway” link at the bottom.

Now Azure will prompt you to ask if you are sure. The reason behind this is that a VPN gateway comes with a cost (~12€ + bandwidth / month).

The gateway will be created. This action will take quite some time… This is a good time for a coffee/tea/smoke/snack/… or whatever kind of … break you want. 🙂

Now that the gateway has been created, the “gateway ip address” is shown: 104.46.54.52. Note this down, as we’ll be needing it later on… Next up is to press the “Manage Key” link down below, so we can see the “private key” (this is the IPsec pre-shared key that both ends of the tunnel must be configured with). We’ll be needing this in order to bring up the tunnel.

Here you can “regenerate” a new key and/or copy the key, as you’ll need it for the tunnel configuration.

Configure Openswan

Much of the inspiration for this came from the following post: http://serverfault.com/questions/627637/azure-site-to-site-vpn-with-a-linux-based-router-to-bridge-the-vpn-ports-to-a-rr

For this lab/demo, I’ll be using a small Raspberry Pi installation with Raspbian on it. So let’s get to it…

First let’s install Openswan:

sudo apt-get install openswan uml-utilities chkconfig

Add the following to your /etc/sysctl.conf

#ipsec vpn tweaks (kvaes)
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

Edit your /etc/ipsec.conf config file as follows:

root@raspberrypi:~# cat /etc/ipsec.conf
version 2.0

config setup
    nat_traversal=yes
    virtual_private=%4:192.168.0.0/24
    protostack=auto
    interfaces="ipsec0=eth0"

conn azure
    authby=secret
    auto=start
    type=tunnel
    left=192.168.0.226
    leftsubnet=192.168.0.0/24
    leftnexthop=192.168.0.1
    right=104.46.54.52
    rightsubnet=10.0.0.0/24
    ike=3des-sha1-modp1024,aes128-sha1-modp1024
    esp=3des-sha1,aes128-sha1
    pfs=no

The “left” side is your internal network and the “right” side is the Azure side. As “right”, enter the IP address of your Azure VPN Gateway. As “left”, enter the IP address of the device running Openswan.

Now edit your /var/lib/openswan/ipsec.secrets.inc file:

root@raspberrypi:~# cat /var/lib/openswan/ipsec.secrets.inc
: RSA /etc/ipsec.d/private/raspberrypiKey.pem
192.168.0.226 104.46.54.52: PSK "myLTd29MyPrivateKeyVPtV6f"

The first IP is your “left”, the second your “right”, and between the quotes you enter the pre-shared key you copied from Azure under “Manage Key”.
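As an added consistency check (not part of the original post), the following Python script parses the conn section and the PSK line shown above and flags the mismatches that most often keep a tunnel from coming up: a PSK line whose addresses do not match left/right, overlapping address spaces, a too-short key, and it lists the legacy 3DES/modp1024 proposals still present. The embedded configuration is a constructed copy of the post’s files; parse_conn, parse_psks, check_tunnel and legacy_proposals are names chosen here.

```python
import ipaddress
import re
# Constructed copies of the post's conn section and PSK line (the PSK is the post's dummy value).
IPSEC_CONF = """\
conn azure
    authby=secret
    left=192.168.0.226
    leftsubnet=192.168.0.0/24
    right=104.46.54.52
    rightsubnet=10.0.0.0/24
    ike=3des-sha1-modp1024,aes128-sha1-modp1024
    esp=3des-sha1,aes128-sha1
"""
IPSEC_SECRETS = '192.168.0.226 104.46.54.52: PSK "myLTd29MyPrivateKeyVPtV6f"\n'

def parse_conn(conf, name):
    """Return the key=value settings of the 'conn <name>' section (its indented lines)."""
    settings, current = {}, None
    for line in conf.splitlines():
        if line and not line[0].isspace():                # section header, e.g. "conn azure"
            current = line.split(maxsplit=1)[-1]
        elif current == name and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key] = value.strip('"')
    return settings

def parse_psks(secrets):
    """Map (left, right) -> key for every PSK line in ipsec.secrets."""
    pat = r'^(\S+)\s+(\S+):\s*PSK\s+"([^"]*)"'
    return {(m[1], m[2]): m[3] for m in re.finditer(pat, secrets, re.M)}

def check_tunnel(conf, secrets, name="azure"):
    """Cross-check a conn against ipsec.secrets; returns problems (empty list = consistent)."""
    c = parse_conn(conf, name)
    left, right = c.get("left"), c.get("right")
    lnet, rnet = ipaddress.ip_network(c["leftsubnet"]), ipaddress.ip_network(c["rightsubnet"])
    problems = []
    if lnet.overlaps(rnet):
        problems.append(f"leftsubnet {lnet} overlaps rightsubnet {rnet}; the address spaces must be disjoint")
    psk = parse_psks(secrets).get((left, right))
    if psk is None:
        problems.append(f"no PSK line for '{left} {right}' in ipsec.secrets; its IPs must match left/right")
    elif len(psk) < 20:
        problems.append("PSK is shorter than 20 characters")
    return problems

def legacy_proposals(conf, name="azure"):
    """Return the legacy algorithms (3DES, 1024-bit DH) still listed in the ike/esp proposals."""
    c = parse_conn(conf, name)
    return [alg for alg in ("3des", "modp1024") if alg in c.get("ike", "") + c.get("esp", "")]
```

Run it against the real files with `check_tunnel(open("/etc/ipsec.conf").read(), open("/var/lib/openswan/ipsec.secrets.inc").read())` before restarting the tunnel; an empty list means the two files agree.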

And now restart your IPsec VPN tunnel:

root@raspberrypi:~# /etc/init.d/ipsec restart

Configure NAT Rules on the ISP (Telenet) Router

Browse to the admin page of your router. For Telenet, this will be https://mijn.telenet.be/; navigate to the advanced settings. On the “network” tab, you can review your internal LAN subnet and also the external address (“81.82.83.84” in this example).


Now browse to “IPv4 Firewall & Port Forwarding”, and we’ll be adding 4 additional NAT rules:

  • Port 500 (UDP): for both inbound and outbound filters. Should be set to allow ISAKMP (IKE) traffic to be forwarded.
  • Port 4500 (UDP): for NAT traversal; the ESP packets will be encapsulated inside UDP/4500 packets.
  • Port 50: for both inbound and outbound filters. Should be set to allow Encapsulating Security Payload (ESP) traffic to be forwarded. Note that ESP is IP protocol number 50, not a TCP/UDP port, even though the router presents it as a “port” entry.
  • Port 51: for both inbound and outbound filters. Should be set to allow Authentication Header (AH) traffic to be forwarded. Like ESP, AH is an IP protocol number (51), not a port.


Direct the NAT rules to the system that will host Openswan (in this example: 192.168.0.226). Now configure the NAT rules, and when you are done, press “Save”. Now you are good to go in terms of the firewall NAT rules.

If you want to test whether the ports are reachable and you do not have an external machine available, you can use a tool like http://www.yougetsignal.com/tools/open-ports/

Activate IPSec VPN Tunnel

Browse to your virtual network… You will see that the connection is not connected.

Press the “Connect” button below… The link will show “Connecting”.

After a while (feel free to take another break) the connection will become “Connected”, as shown in the visualization and by the “Connect” button having become the “Disconnect” button.

Test Connectivity

So far so good! Now let us test… Let’s ping the subnet from our own gateway:

root@raspberrypi:~# ping 10.0.0.0
PING 10.0.0.0 (10.0.0.0) 56(84) bytes of data.
64 bytes from 10.0.0.0: icmp_req=1 ttl=127 time=16.8 ms
64 bytes from 10.0.0.0: icmp_req=2 ttl=127 time=14.6 ms
64 bytes from 10.0.0.0: icmp_req=3 ttl=127 time=14.4 ms
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 14.480/15.333/16.882/1.106 ms

We receive packets… Now I’m going to start up a test system on my Azure network:

And again, we’ll wait for it to pop online. The machine has IP address “10.0.0.4”, so let’s see if we can reach it.

root@raspberrypi:~# ping 10.0.0.4
PING 10.0.0.4 (10.0.0.4) 56(84) bytes of data.
64 bytes from 10.0.0.4: icmp_req=1 ttl=63 time=17.3 ms
64 bytes from 10.0.0.4: icmp_req=2 ttl=63 time=15.6 ms
64 bytes from 10.0.0.4: icmp_req=3 ttl=63 time=15.6 ms
64 bytes from 10.0.0.4: icmp_req=4 ttl=63 time=14.8 ms
64 bytes from 10.0.0.4: icmp_req=5 ttl=63 time=14.5 ms
--- 10.0.0.4 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 14.506/15.582/17.318/0.986 ms

Now let’s try to connect to it…

root@raspberrypi:~# ssh myusername@10.0.0.4
myusername@10.0.0.4's password:
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.2.0-75-virtual x86_64)

* Documentation:  https://help.ubuntu.com/

System information as of Mon Jan 26 10:04:19 UTC 2015

System load:  0.24              Processes:           92
Usage of /:   3.1% of 28.83GB   Users logged in:     0
Memory usage: 5%                IP address for eth0: 10.0.0.4
Swap usage:   0%

Graph this data and manage this system at:
https://landscape.canonical.com/

Get cloud support with Ubuntu Advantage Cloud Guest:
http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.

New release '14.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sun Jan 25 18:04:30 2015 from 192.168.0.226
To run a command as administrator (user "root"), use "sudo

And now let’s do the ping the other way…

myusername@KVAESTEST02:~$ ping 192.168.0.226
PING 192.168.0.226 (192.168.0.226) 56(84) bytes of data.
64 bytes from 192.168.0.226: icmp_req=1 ttl=63 time=15.6 ms
64 bytes from 192.168.0.226: icmp_req=2 ttl=63 time=15.2 ms
64 bytes from 192.168.0.226: icmp_req=3 ttl=63 time=17.7 ms
--- 192.168.0.226 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2010ms
rtt min/avg/max/mdev = 15.202/16.204/17.799/1.140 ms

So everything works! Happy VPN-ing… 😀


What was the cost of this lab test?

So the total ran up to a staggering 0,55€!
